Alexander_Wilke
Advisor

How to push new host objects (in a group) to a Gateway without policy installation in R80.20?

Hello,

we had several discussions with support partners and Check Point presales but we did not get a fully satisfying answer to our question or "problems".

Our idea is that we have different firewall rules with "group objects" in source or destination containing "host objects" or "network objects". We are interested in a way to put objects within this group and these objects will be pushed to the gateway (immediately) without Policy Installation or without installing other changes which were made by other administrators on the same policy package (but not the same rule or object groups).

So as far as I understand this feature is already implemented if you for example connect R80.20 MDS with a Cisco ACI APIC and you create a datacenter object. Then this object contains EPGs and these EPGs and their content will be pushed to the gateway within seconds. So if someone is doing changes on the Cisco APIC and puts an object into an EPG then this is synchronized with the Check Point MDS and the new content of the EPG will be pushed without Policy Installation and within seconds to the gateway, right?

So what we are looking for is a solution doing that without any third party. We do not want to connect or use ACI APIC or VMware NSX.

In the very best case we want to:
1.) Create the rule in the firewall policy containing the group objects, publish it and install it (only the very first time)

2.) we want to add new objects to these existing groups and these objects should be pushed to the gateway WITHOUT pushing any other changes made on the policy

3.) Best way would be to add objects to these groups using the R80.20 API.

I would really appreciate any help on this topic. I think it is called "Adaptive Security" - do you have any documentation for that you can offer me?

Regards

Alexander Wilke

7 Replies
G_W_Albrecht
Legend

Afaik, Policy installation is still the same process as found in How To Troubleshoot Policy Installation Issues. So changes without policy installation are rather a very exceptional case...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dor_Marcovitch
Advisor

If you want on-the-fly enforcement with no policy install, try taking a look at using the Identity Awareness blade.

Use similar servers with an access role.

Using syslog / other API calls you can populate the access roles with the new IPs of the servers.

Another way is using dynamic objects, but it will require a policy installation. The good thing about it is that you can use 1 object in the policy and each FW will populate the object with its local configuration of the objects; I think it is in some file on the FW.

Another option is to try to configure a layer policy only for this use, make the changes using the API and install policy only for those changes. I think it is possible, try and check.

Why are you avoiding install policy so much?

Alexander_Wilke
Advisor

Hi,

the reason is not that we do not want to install Policy in general, but we cannot do the Policy Installation every time every day. We have different sources, or we plan to have them, which can change the Firewall Policy.

So one source is an automation tool which deploys new servers in the datacenter and is connected to many different other internal destinations. This tool should only do the API call to R80.20 and push an object into a group. This change should be pushed immediately to the firewall gateway. There is no firewall administrator involved for any further checks.

In parallel to this tool we do manual policy changes. These changes often take a long time to finish: re-organization of rules, deleting old objects, defining new complex rules and so on. These changes need extra checks from an additional administrator. So several different administrators modify the policy and we want to avoid that these changes, which are perhaps not checked by another administrator for whatever reason, will be installed on the gateway.

Unfortunately our policy does not allow us to separate these tasks into different layers.

I am not sure if IA can help us. Do you have any documentation for this specific scenario? I am not familiar with IA.

My hope was that we can define a "group object" which has a specific feature, and if we put an object into this group it will be pushed to the gateway immediately. This feature already exists in the MDS/GW because you can do this with other 3rd party vendors like ACI and VMware etc.

Regards
Alexander Wilke

0 Kudos
G_W_Albrecht
Legend

To be pushed to the GW usually needs a policy install for CP products, that is the point here. New host objects in policies have to be verified first, then converted from Dashboard configuration to an intermediate <policy_name>.W. This is translated to the INSPECT language and compiled with the INSPECT compiler. Now, a dedicated process compiles it into a temporary file called *.cpp. This ends the SMS process and the *.cpp is transferred to the GW. The commit phase then transforms it into the current policy in a separate process.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dor_Marcovitch
Advisor

Check this feature:

https://community.checkpoint.com/thread/8800-how-to-use-identity-awareness-tags-in-r8020m1

If it survives reboot then you are OK to use it.

If you want to create host objects, policy installation is mandatory.

You can use both paths: create the objects using the API for the next install policy and for documentation.

Use the IA Tagging API for the immediate changes to be applied without policy installation.

0 Kudos
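The first of the two paths Dor describes, creating the host through the Management API and adding it to an existing group ahead of the next install policy, as an added example that is not code from this thread or from Check Point. The `login`, `add-host`, `set-group`, `publish`, `discard` and `logout` commands are the R80 Management Web API; the server name, credentials, object names and the offline `FakeManagement` stand-in are constructed for the example.

```python
import json
import ssl
import urllib.request


def api_call(server, command, payload, sid=None):
    """POST one R80 Management API command to https://<server>/web_api/<command>."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session token returned by login
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode())


def add_host_to_group(server, user, password, host_name, ip, group_name, call=None):
    """Create a host, add it to an existing group and publish; returns the publish task id.
    Publishing only records the change in the management database: as the thread explains,
    the gateway enforces it only after the next install-policy."""
    call = call or (lambda cmd, payload, sid=None: api_call(server, cmd, payload, sid))
    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        call("add-host", {"name": host_name, "ip-address": ip}, sid)
        call("set-group", {"name": group_name, "members": {"add": [host_name]}}, sid)
        return call("publish", {}, sid)["task-id"]
    except Exception:
        call("discard", {}, sid)  # drop the unpublished session changes on any failure
        raise
    finally:
        call("logout", {}, sid)


class FakeManagement:
    """Constructed offline stand-in for the API so the flow can be exercised without a server."""
    def __init__(self, fail_on=None):
        self.calls, self.fail_on = [], fail_on

    def __call__(self, command, payload, sid=None):
        self.calls.append((command, sid))
        if command == self.fail_on:
            raise RuntimeError(f"{command} rejected")
        if command == "login":
            return {"sid": "SID-constructed"}
        if command == "publish":
            return {"task-id": "TASK-constructed"}
        return {}


if __name__ == "__main__":
    fake = FakeManagement()
    print(add_host_to_group("mgmt.example.invalid", "api_user", "secret",
                            "srv-win-01", "10.10.10.10", "grp-dc-servers", call=fake))
    print([c for c, _ in fake.calls])
```

Against a real server, omit `call=` so the same function talks to the Management API over HTTPS; the published host still needs `install-policy` before the gateway sees it.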
Alexander_Wilke
Advisor

Hi,

you say that after creating a host object Policy Installation is mandatory. We are using global objects and these objects will be "copied" from global to every CMA. This is how it works in R77.30. Is this process the same in R80.20 and do we then still need the policy installation with global objects? Just to make sure I understood it correctly.

Is there a difference between new group objects, new host objects or new host objects in existing group objects?

Thanks Günther and Dor for the clarification and explanation. I will check the IA doc you linked.

Regards

Alexander Wilke

0 Kudos
Alexander_Wilke
Advisor

Hi again,
I did some tests with R80.20 and VMware vCenter (Datacenter Object). If I import a VMware object (virtual machine) I can see its IP address in the rule base, and if the IP changes on the VM the object in the rule base changes its IPs a few seconds later, too. This is fine.

My questions are:

  1. Is it possible to auto-import VMs from vCenter and put these IPs/objects into a group? I am looking for something like "*win*" to import automatically all VMs which have "win" in their hostname or "win" in their description.

  2. How can I check if the IP of a VMware object which has changed has already changed on the gateway? If I add a VMware object with IP 10.10.10.10 and push policy then the gateway knows IP 10.10.10.10. If the IP in VMware vCenter changes this will be synced to the MDS, but how do I check if it changed on the gateway? Is there any possibility to do so?

Regards

Alexander
